Hurricane Electric's IPv6 Tunnel Broker Forums

Topic: cannot add _kerberos._kkdcp SRV record

leenmark
cannot add _kerberos._kkdcp SRV record
« on: May 20, 2015, 05:41:31 AM »

Unable to add _kerberos._kkdcp SRV record

I need to add an SRV record for _kerberos._kkdcp.<mydomain> but dns.he.net does not allow me.

WebUI available to me enforces ._protocol, which does not seem to include ._kkdcp as an acceptable option.

I must have such record to get my "Kerberos Key Distribution Center Proxy" implementation going.

Can ._kkdcp pls be added as an accepted protocol?

While waiting for such to be achieved, who at dns.he.net can I ask to implement the required SRV record for me?

kcochran
Re: cannot add _kerberos._kkdcp SRV record
« Reply #1 on: May 20, 2015, 11:06:05 AM »

Protocol covers the underlying transport protocol, either TCP or UDP.  I'm not finding any specs adding KKDCP.

MIT's Kerberos docs at http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Hostnames-for-the-Master-and-Slave-KDCs.html do not list that as a valid protocol either.

leenmark
Re: cannot add _kerberos._kkdcp SRV record
« Reply #2 on: May 21, 2015, 12:16:38 AM »

Thanks for your prompt response.

Well, then I am stuck. Microsoft DNS server allows me to create such a record (although it does not present _kkdcp in its protocol drop down, I can type it in).

And iOS clearly resolves _kerberos._kkdcp (and not _kerberos._kkdcp._tcp) in its iOS Single-Sign-On implementation.

kcochran
Re: cannot add _kerberos._kkdcp SRV record
« Reply #3 on: May 21, 2015, 05:51:02 AM »

That seems kind of odd, since the OSX source for the Kerberos Helper has the following:

http://opensource.apple.com/source/KerberosHelper/KerberosHelper-151/Source/DeconstructServiceName.c
Code:
#define ValidTransportProtocol(X) ( (X)[0] == 4 && (X)[1] == '_' && \
((((X)[2] | 0x20) == 'u' && ((X)[3] | 0x20) == 'd') || (((X)[2] | 0x20) == 't' && ((X)[3] | 0x20) == 'c')) && \
((X)[4] | 0x20) == 'p')

With something like _kkdcp, it doesn't clarify whether it's using TCP or UDP for the transport, unless it's expecting a CNAME to some secondary SRV, or just trying that one, and then failing back to something else.  I can't find any documented use of that record.

snarked
Re: cannot add _kerberos._kkdcp SRV record
« Reply #4 on: May 29, 2015, 11:33:16 PM »

From that code, it looks as if TCP and UDP are the only two protocols supported for SRV records.  Major bummer.  Some people use other things like SCTP or "udp-lite", but those won't work with your OS.

Also, their way of detecting upper/lower case is encoding dependent, which is bad.  It works for ASCII but fails for EBCDIC.  Hope no IBM mainframes ever want to run their code....

kcochran
Re: cannot add _kerberos._kkdcp SRV record
« Reply #5 on: May 29, 2015, 11:51:25 PM »

Eh, it's a define for an OSX-specific Kerberos helper shim, and would be only applicable for that service itself.  I also don't see KKDCP in /etc/protocols anyway, which would seem to be where one might expect to find other potential protocols for the _proto field on a SRV record.
Logged
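
An added example, not part of the thread and not Apple's KerberosHelper code: a C sketch that converts an SRV owner name to DNS wire format (length-prefixed labels, the form the macro quoted in Reply #3 inspects) and classifies the `_proto` label, so the difference between `_kerberos._tcp` and `_kerberos._kkdcp` is visible to a validator. The function names, the enum and the `example.com` sample names are assumptions made for illustration.

```c
#include <string.h>

enum srv_proto { SRV_MALFORMED, SRV_TCP, SRV_UDP, SRV_OTHER };

/* Encode a dotted name as wire format; 0 on empty/oversized label or overflow. */
static size_t to_wire(const char *name, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || n + len + 2 > cap) return 0;
        out[n++] = (unsigned char)len;      /* length octet */
        memcpy(out + n, name, len);         /* label octets */
        n += len;
        name += len + (dot ? 1 : 0);
    }
    out[n++] = 0;                           /* root label ends the name */
    return n;
}

/* Match one wire label against a lowercase literal; labels are ASCII octets. */
static int label_is(const unsigned char *lab, const char *lit) {
    size_t len = strlen(lit);
    if (lab[0] != len) return 0;            /* "_tcp" needs length octet 4 */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = lab[1 + i];
        if (c >= 'A' && c <= 'Z') c = (unsigned char)(c + 32);
        if (c != (unsigned char)lit[i]) return 0;
    }
    return 1;
}

/* Classify the second label of an owner name shaped _service._proto.domain. */
enum srv_proto srv_proto_of(const char *owner) {
    unsigned char w[255];                   /* maximum wire-format name length */
    if (!to_wire(owner, w, sizeof w)) return SRV_MALFORMED;
    if (w[0] < 2 || w[1] != '_') return SRV_MALFORMED;
    const unsigned char *proto = w + 1 + w[0];
    if (proto[0] < 2 || proto[1] != '_') return SRV_MALFORMED;
    if (label_is(proto, "_tcp")) return SRV_TCP;
    if (label_is(proto, "_udp")) return SRV_UDP;
    return SRV_OTHER;   /* e.g. _kkdcp: underscore label, but no transport named */
}

int main(void) {
    /* Constructed sample name; exits 0 when _kkdcp is classified as SRV_OTHER. */
    return srv_proto_of("_kerberos._kkdcp.example.com") == SRV_OTHER ? 0 : 1;
}
```

A front end that accepts only `SRV_TCP` and `SRV_UDP` rejects the `_kkdcp` name; one that also accepts `SRV_OTHER` would store it, which matches the behaviour described for the Microsoft DNS server earlier in the thread.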